I'd like to introduce Criminal IP Search Queries, which I've been using for quite awhile now.๐
Should be noted that you need a Criminal IP account to access their services. Most of the results found shows open ports or vulnerabilities mostly because of bad security setups. So I wouldn't recommend trying to log in with these results and accessing exposed data just because it's there. Of course, unless you're willing to face legal consequences that come with that.
- Malicious
- Router
- PLC
- monitoring
- Network Infra
- Web hard
- Media server
- printer
- Webcam
- Search Query : title: "DeadBolt"
- Search Query : tag: "Malicious"
- Search Query : title: "Your files have been locked"
- Search Query : title: "ALL YOUR FILES HAVE BEEN LOCKED"
DeadBolt ransomware is known to encrypt files on NAS devices to demand Bitcoin to decrypt. The pictures above are references of ransomware affecting QNAP NAS devices.
Outdated NAS devices of QNAP with QTS 4.2.x, 4.3.x, 4.4.x and application without update seem to be the targets of this ransomware.
- Search Query : tag: "Malicious" product: "proxy"
- Search Query : var miner = new CoinHive.Anonymous
- Search Query : tag: malicious title: ATTENZIONE!
Coinhive provides javascript codes that can be included on a website's source code by its owners. The problem lies when visitors access the website without the knowledge that these codes take advantage of their systems. Once they access the website, the javascript code takes advantage of visitor processors to mine cryptocurrency. The IPs exposed on Criminal IP may have similar threats like these lying in wait, so I generally don't recommend trying to access websites without that protection.
This screenshot is from the Korean Customs Service Management System. Accessing the website through normal channels will show the usual website and login page, but searching with 'title: "FTAPASS" status_code: 200' allows access into the administrator page. Add 'index.jsp' to the end of address then you can check the files in that admin page.
You can even find flight plans for 'Urban Air Mobility Project' and administrator information of corporate 'S'.
- Search Query : "devolo Magic" title: "Authentication"
- Search Query : "devolo Magic" title: "Overview"
This is a admin page for ethernet adapter. Here we see the results of querying with "devolo Magic" title: "Authentication", we can check it was automatically encrypted as a default option. When searching with the query "devolo Magic" title: "Overview" shows the overview of the system.
Services and devices in a cooling room
KOMIPO's forecasting system identifies issues by forecast analysis and machine learning.
Cisco RF Gateway 1 is a standards-based Universal Edge QAM (U-EQAM) solution for integrating high-speed and high-bandwidth data and video distribution at the edges of cable access networks.
By default, there is an authentication process to prevent unwanted access, but users can check for Ethernet switch information on pages without proper login processes.
Check the following sample references of this issues. You can identify several functions such as storage, reboot and operation time.
As shown here, you can check leaking of information regarding accredited certificates, passports, network information and personnel information.
Logitech Media Server exposed to the attack surface
- Search Query : "Lexmark_Web_Server" status_code: 200
- Search Query : class="popup-modal-container" "Lexmark_Web_Server"